xiand.ai
Apr 13, 2026 · Updated 03:12 PM UTC

Adobe patches critical zero-day exploited in targeted PDF attacks

Adobe has released a security update for Acrobat and Reader to address a zero-day vulnerability that allowed attackers to hijack systems via malicious documents.

Ryan Torres


Adobe has issued a critical security patch for its Acrobat and Reader software on Windows and macOS, ending a months-long period during which attackers actively exploited a zero-day vulnerability. The update, released April 11, addresses CVE-2026-34621, a flaw that allowed attackers to execute arbitrary code on a victim's machine simply by having them open a booby-trapped PDF.

While Adobe acknowledged the vulnerability in its latest security advisory, it did not address the flaw until after independent researchers brought the campaign to light. The company stated it is "aware of CVE-2026-34621 being exploited in the wild," but has yet to explain why it did not disclose the security risk sooner.

Anatomy of the attack

Security researchers discovered that the exploit used heavily obfuscated JavaScript that ran through legitimate Acrobat APIs. This allowed the malware to profile the host machine, gathering system information to determine if the target was worth a deeper compromise.

If the machine met the attackers' criteria, the malware would escalate privileges to pull down a second-stage payload. This secondary threat was capable of full remote code execution and could break out of the Reader's sandbox environment.

Evidence suggests the campaign has been active since at least late 2025. The attack methodology was designed to blend in with normal software behavior, allowing it to bypass traditional security defenses that rely on signature-based detection.

The nature of the lures suggests a sophisticated, targeted effort rather than random spam. Some of the malicious documents were written in Russian and specifically referenced themes related to the oil and gas industry. This indicates the attackers were focused on specific, high-value targets.

Although the patch effectively closes the vulnerability, it does not undo any previous compromises. Users who opened malicious PDFs during the months the flaw remained unpatched may have already had their systems profiled or fully compromised.
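For teams reviewing PDFs received while the flaw was unpatched, a first-pass triage is sketched below as an added example; it is not taken from Adobe's advisory or the researchers' findings and it does not detect CVE-2026-34621 itself. It flags files whose object structure declares JavaScript or auto-run actions, including names disguised with `#xx` hex escapes; the watch list and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# Assumed watch list (chosen for this example): PDF names that declare
# script or automatic actions.
SUSPICIOUS = {"JS", "JavaScript", "OpenAction", "AA", "Launch"}
SCRIPT_NAMES = {"JS", "JavaScript", "Launch"}

# A PDF name is "/" followed by any bytes except whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, which PDF permits inside names (/J#53 is /JS)."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage(data: bytes) -> dict:
    """Count watch-list names in raw PDF bytes.

    Limitation: names inside compressed object streams are not visible here,
    so a clean result does not clear a file; a hit means "review this one".
    """
    counts, escaped = Counter(), set()
    for match in NAME_RE.finditer(data):
        raw = match.group(1)
        name = decode_name(raw)
        if name in SUSPICIOUS:
            counts[name] += 1
            if b"#" in raw:  # escaping a keyword is itself unusual
                escaped.add(name)
    return {"counts": dict(counts), "hex_escaped": sorted(escaped),
            "review": bool(counts.keys() & SCRIPT_NAMES)}

# Constructed samples (not real documents and not the exploit from the campaign).
SAMPLE_SCRIPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                   b"2 0 obj\n<< /S /J#61vaScript /JS (constructed_placeholder) >>\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Files marked for review still need analysis in an isolated environment, since many legitimate forms also carry JavaScript.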

Adobe has not disclosed the total number of affected users nor has it provided details on how the flaw was originally discovered. The company has remained silent on inquiries regarding why the public acknowledgment of the vulnerability lagged behind reports from external researchers.
